Хотелось бы услышать критику.
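# pf.conf for a router with three uplinks (ext1, ext2, SHDSL) in front of a
# club LAN, a local LAN and a VPN address range. route-to rules pick the
# uplink per source/destination; NAT is applied on the way out.
#
# Interface macros.
# NOTE(review): the three uplink macros are empty in this paste, so a rule
# such as `nat on $ext1_if` expands to `nat on inet ...`, which pfctl rejects.
# They must hold real interface names before the ruleset can load.
ext1_if= #192.168.100.101
ext2_if= #192.168.101.101
ext3_if= #SHDSL
club_if="stge0"
local_if="rl1"

# Address macros.
local_net="192.168.3.0/24"
club_net="192.168.1.0/24"
vpn_net="192.168.5.0/24"
local_vip="192.168.3.242"   # the only local-LAN host that is passed out to the Internet
# Destination prefixes that are steered over the SHDSL uplink.
utk_net="62.183.88.0/22,83.239.244.0/22,85.172.164.0/22,85.172.80.0/21,85.173.144.0/20"

# Options: blocked packets are dropped silently; loopback is not filtered.
set block-policy drop
set skip on lo0

# Normalisation: reassemble fragments before filtering; randomise IP ids and
# clamp the TCP MSS on the way out.
scrub in all fragment reassemble
scrub out all random-id max-mss 1440

# Translation for the internal networks on the two ordinary uplinks.
# NOTE(review): the ext2 address is redacted in this paste (85.173.150.xx).
nat on $ext1_if inet from { $club_net, $vpn_net, $local_net } to any -> 192.168.100.101
nat on $ext2_if inet from { $club_net, $vpn_net, $local_net } to any -> 85.173.150.xx
# Only traffic tagged SHDSL by the route-to rules below is translated here.
nat on $ext3_if inet tagged SHDSL -> 85.172.81.19

# Drop packets whose source does not belong on the interface they arrive on.
# Fixed: the original listed $ext_if, which is not defined anywhere above
# (pfctl reports an undefined macro); the three real uplink macros are used.
antispoof quick for { $club_if, $local_if, $ext1_if, $ext2_if, $ext3_if }

# Default deny. Fixed: the original read `blocl all`, a parse error, so the
# ruleset could never have been loaded. Logged, so drops are visible on pflog0.
block log all

############################################################
# club_if
############################################################
# Club LAN may reach all internal networks without further checks.
pass in quick on $club_if from $club_net to { $club_net, $local_net, $vpn_net }
pass out on $club_if from any to $club_net
# Destinations in $utk_net go over SHDSL; the SHDSL tag selects the matching nat rule.
pass in on $club_if route-to ($ext3_if 85.172.81.17) proto tcp from $club_net to $utk_net flags S/SA modulate state tag SHDSL
pass in on $club_if route-to ($ext3_if 85.172.81.17) proto { udp, icmp } from $club_net to $utk_net keep state tag SHDSL
# Selected ports are pinned to ext2.
pass in on $club_if route-to ($ext2_if 85.173.150.1) proto tcp from $club_net to any port { 8086, 7777, 2106} flags S/SA modulate state
pass in on $club_if route-to ($ext2_if 85.173.150.1) proto udp from $club_net to any port 1513 keep state
# Everything else is balanced round-robin between ext1 and ext2.
pass in on $club_if route-to { ($ext1_if 192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto tcp from $club_net to any flags S/SA modulate state
pass in on $club_if route-to { ($ext1_if 192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto { udp, icmp } from $club_net to any keep state

############################################################
# local_if
############################################################
# Local LAN may reach all internal networks; only $local_vip may leave for the Internet.
pass in quick on $local_if from $local_net to { $club_net, $local_net, $vpn_net }
pass out on $local_if from any to $local_net
pass in on $local_if route-to ($ext3_if 85.172.81.17) proto tcp from $local_vip to $utk_net flags S/SA modulate state tag SHDSL
pass in on $local_if route-to ($ext3_if 85.172.81.17) proto { udp, icmp } from $local_vip to $utk_net keep state tag SHDSL
pass in on $local_if route-to { ($ext1_if 192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto tcp from $local_vip to any flags S/SA modulate state
pass in on $local_if route-to { ($ext1_if 192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto { udp, icmp } from $local_vip to any keep state

############################################################
# vpn_if
############################################################
# NOTE(review): no vpn interface macro is defined, and these rules carry no
# `on <interface>`, so they match on every interface including the uplinks.
# The antispoof rule only covers networks attached to the listed interfaces,
# so a packet claiming a $vpn_net source that arrives on an uplink is not
# caught by it and is passed into the internal networks by the first rule
# below. Bind these rules with `on <vpn interface>` once that interface is
# known, or block $vpn_net sources inbound on the uplinks ahead of them.
pass in quick from $vpn_net to { $club_net, $local_net, $vpn_net }
pass out from any to $vpn_net
pass in route-to ($ext3_if 85.172.81.17) proto tcp from $vpn_net to $utk_net flags S/SA modulate state tag SHDSL
pass in route-to ($ext3_if 85.172.81.17) proto { udp, icmp } from $vpn_net to $utk_net keep state tag SHDSL
pass in route-to { ($ext1_if 192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto tcp from $vpn_net to any flags S/SA modulate state
pass in route-to { ($ext1_if 192.168.100.102), ($ext2_if 85.173.150.1) } round-robin \
proto { udp, icmp } from $vpn_net to any keep state

###################################################################
# Outbound on the uplinks: anything already admitted above may leave.
pass out on $ext1_if proto tcp from any to any flags S/SA modulate state
pass out on $ext1_if proto { udp, icmp } from any to any keep state
pass out on $ext2_if proto tcp from any to any flags S/SA modulate state
pass out on $ext2_if proto { udp, icmp } from any to any keep state
pass out on $ext3_if proto tcp from any to any flags S/SA modulate state
pass out on $ext3_if proto { udp, icmp } from any to any keep state
# ICMP from the uplink addresses to fixed hosts, forced out over a specific
# uplink regardless of the routing table (presumably link-health probes —
# confirm with the monitoring script that sends them).
pass out on $ext1_if route-to ($ext1_if 192.168.100.102) inet proto icmp from {$ext1_if, $ext2_if} to {193.239.250.34, 199.202.238.18} #ping www.ua, #www.net
pass out on $ext2_if route-to ($ext1_if 192.168.100.102) inet proto icmp from {$ext1_if, $ext2_if} to {193.239.250.34, 199.202.238.18} #ping www.ru
pass out on $ext1_if route-to ($ext2_if 85.173.150.1) inet proto icmp from {$ext1_if, $ext2_if} to {194.87.0.50}
pass out on $ext2_if route-to ($ext2_if 85.173.150.1) inet proto icmp from {$ext1_if, $ext2_if} to {194.87.0.50}
# Symmetric egress: packets carrying an uplink's address leave through that
# uplink's gateway even if the routing table would pick another one.
pass out on $ext1_if route-to ($ext2_if 85.173.150.1) from $ext2_if to any
pass out on $ext2_if route-to ($ext1_if 192.168.100.102) from $ext1_if to any
pass out on $ext3_if route-to ($ext3_if 85.172.81.17) from 85.172.81.19 to any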